Simple Proof of Security of the BB84 Quantum Key Distribution Protocol 
We prove that the 1984 protocol of Bennett and Brassard (BB84) for quantum key distribution 
is secure. We first give a key distribution protocol based on entanglement purification, which can be 
proven secure using methods from Lo and Chau's proof of security for a similar protocol. We then 
show that the security of this protocol implies the security of BB84. The entanglement-purification 
based protocol uses Calderbank-Shor-Steane (CSS) codes, and properties of these codes are used to 
remove the use of quantum computation from the Lo-Chau protocol. 



Quantum cryptography differs from conventional cryptography in that the
data are kept secret by the properties of quantum mechanics, rather than
the conjectured difficulty of computing certain functions. The first
quantum key distribution protocol, proposed in 1984 [?], is called BB84
after its inventors (C. H. Bennett and G. Brassard). In this protocol, the
participants (Alice and Bob) wish to agree on a secret key about which no
eavesdropper (Eve) can obtain significant information. Alice sends each bit
of the secret key in one of a set of conjugate bases which Eve does not
know, and this key is protected by the impossibility of measuring the state
of a quantum system simultaneously in two conjugate bases. The original
papers proposing quantum key distribution [?] proved it secure against
certain attacks, including those feasible using current experimental
techniques. However, for many years, it was not rigorously proven secure
against an adversary able to perform any physical operation permitted by
quantum mechanics.

Recently, three proofs of the security of quantum key distribution
protocols have been discovered; however, none is entirely satisfactory. One
proof [?], although easy to understand, has the drawback that the protocol
requires a quantum computer. The other two [?] prove the security of a
protocol based on BB84, and so are applicable to near-practical settings.
However, both proofs are quite complicated. We give a simpler proof by
relating the security of BB84 to entanglement purification protocols [?]
and quantum error correcting codes [?]. This new proof also may illuminate
some properties of previous proofs [?], and thus give insight into them.
For example, it elucidates why the rates obtainable from these proofs are
related to rates for CSS codes. The proof was in fact inspired by the
observation that CSS codes are hidden in the inner workings of the proof
given in [?].

We first review CSS codes and associated entanglement purification
protocols. Quantum error-correcting codes are subspaces of the Hilbert
space $\mathbb{C}^{2^n}$ which are protected from errors in a small number
of these qubits, so that any such error can be measured and subsequently
corrected without disturbing the encoded state. A quantum CSS code $Q$ on
$n$ qubits comes from two binary codes on $n$ bits, $C_1$ and $C_2$, one
contained in the other:

$$\{0\} \subset C_2 \subset C_1 \subset \mathbf{F}_2^n,$$

where $\mathbf{F}_2^n$ is the binary vector space on $n$ bits [?].

A set of basis states (which we call codewords) for the CSS code subspace
can be obtained from vectors $v \in C_1$ as follows:

If $v_1 - v_2 \in C_2$, then the codewords corresponding to $v_1$ and $v_2$
are the same. Hence these codewords correspond to cosets of $C_2$ in $C_1$,
and this code protects a Hilbert space of dimension
$2^{\dim C_1 - \dim C_2}$.

The above quantum code is equivalent to the dual code 
Q* obtained from the two binary codes 

$$\{0\} \subset C_1^\perp \subset C_2^\perp \subset \mathbf{F}_2^n.$$

This equivalence can be demonstrated by applying the 
Hadamard transform 

to each encoding qubit. This transformation interchanges the bases
$|0\rangle$, $|1\rangle$ and $|+\rangle$, $|-\rangle$, where
$|+\rangle = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$ and
$|-\rangle = \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)$. It also
interchanges the two subspaces corresponding to the codes $Q$ and $Q^*$,
although the codewords (given by Eq. (1)) of $Q$ and $Q^*$ are not likewise
interchanged.

We now make a brief technical detour to define some 
terms. The three Pauli matrices are: 
The matrix $\sigma_x$ applies a bit flip error to a qubit, while $\sigma_z$
applies a phase flip error. We denote the Pauli matrix $\sigma_a$ acting on
the $k$'th bit of the CSS code by $\sigma_{a(k)}$ for $a \in \{x, y, z\}$.
For a binary vector $s$, we let

$$\sigma_a^{[s]} = \sigma_{a(1)}^{s_1} \otimes \sigma_{a(2)}^{s_2} \otimes \sigma_{a(3)}^{s_3} \otimes \cdots \otimes \sigma_{a(n)}^{s_n},$$

where $\sigma_a^0$ is the identity matrix and $s_i$ is the $i$'th bit of
$s$. The matrices $\sigma_a^{[s]}$ have all eigenvalues $\pm 1$.
In a classical error correcting code, correction proceeds by measuring the
syndrome, which is done as follows. A parity check matrix $H$ of a code $C$
is a basis of the dual vector space $C^\perp$. Suppose that we transmit a
codeword $v$, which acquires errors to become $w = v + e$. The $k$'th row
$r_k$ of the matrix $H$ determines the $k$'th bit of the syndrome for $w$,
namely $r_k \cdot w \pmod 2$. The full syndrome is thus $Hw$. If the
syndrome is 0, then $w \in C$. Otherwise, the most likely value of the
error $e$ can be calculated from the syndrome [?]. In our quantum CSS code,
we need to correct both bit and phase errors. Let $H_1$ be a parity check
matrix for the code $C_1$, and $H_2$ one for the code $C_2^\perp$. To
calculate the syndrome for bit flips, we measure the eigenvalue of
$\sigma_z^{[r]}$ for each row $r \in H_1$ ($-1$'s and $1$'s of the
eigenvalue correspond to 1's and 0's of the syndrome). To calculate the
syndrome for phase flips, we measure the eigenvalue of $\sigma_x^{[r]}$ for
each row $r \in H_2$. This lets us correct both bit and phase flips, and if
we can correct up to $t$ of each of these types of errors, we can also
correct arbitrary errors on up to $t$ qubits [?].

The useful property of CSS codes for demonstrating 
the security of BB84 is that the error correction for the 
phases is decoupled from that for the bit values, as shown 
above. General quantum stabilizer codes can similarly be 
turned into key distribution protocols, but these appear 
to require a quantum computer to implement. 

If one requires that a CSS code correct all errors on at most
$t = \delta n$ qubits, the best codes that we know exist satisfy the
quantum Gilbert-Varshamov bound. As the block length $n$ goes to infinity,
these codes asymptotically protect against $\delta n$ bit errors and
$\delta n$ phase errors, and encode $[1 - 2H(2\delta)]n$ qubits, where $H$
is the binary Shannon entropy
$H(p) = -p \log_2(p) - (1 - p) \log_2(1 - p)$. In practice, it is better to
only require that random errors are corrected with high probability. In
this case, codes exist that correct $\delta n$ random phase errors and
$\delta n$ random bit errors, and which encode $[1 - 2H(\delta)]n$ qubits.

We also need a description of the Bell basis. These are 
the four maximally entangled states 

$$\Psi^\pm = \frac{1}{\sqrt{2}}(|01\rangle \pm |10\rangle), \qquad \Phi^\pm = \frac{1}{\sqrt{2}}(|00\rangle \pm |11\rangle),$$

which form an orthogonal basis for the quantum state 
space of two qubits. 

Finally, we introduce a class of quantum error correcting codes equivalent
to $Q$, and parameterized by two $n$-bit binary vectors $x$ and $z$.
Suppose that $Q$ is determined as above by $C_1$ and $C_2$. Then $Q_{x,z}$
has basis vectors indexed by cosets of $C_2$ in $C_1$, and for
$v \in C_1$, the corresponding codeword is

$$v \longrightarrow \frac{1}{|C_2|^{1/2}} \sum_{w \in C_2} (-1)^{z \cdot w} \, |x + v + w\rangle. \qquad (2)$$

Quantum error correcting codes and entanglement purification protocols are
closely connected [?]; we now describe the entanglement purification
protocol corresponding to the CSS code $Q$. For now, we assume that the
codes $C_1$ and $C_2$ correct up to $t$ errors and that $Q$ encodes $m$
qubits in $n$ qubits. Suppose Alice and Bob share $n$ pairs of qubits in a
state close to $(\Phi^+)^{\otimes n}$. For the entanglement purification
protocol, Alice and Bob separately measure the eigenvalues of
$\sigma_z^{[r]}$ for each row $r \in H_1$ and $\sigma_x^{[r]}$ for each row
$r \in H_2$. Note that for these measurements to be performable
simultaneously, they must all commute; $\sigma_z^{[r]}$ and
$\sigma_x^{[r']}$ commute because the vector spaces $C_1^\perp$ and $C_2$
are orthogonal.

If Alice and Bob start with $n$ perfect EPR pairs, measuring
$\sigma_z^{[r]}$ for $r \in H_1$ and $\sigma_x^{[r]}$ for $r \in H_2$
projects each of their states onto the code subspace $Q_{x,z}$, where $x$
and $z$ are any binary vectors with $H_1 x$ and $H_2 z$ equal to the
measured bit and phase syndromes, respectively. After projection, the state
is $(\Phi^+)^{\otimes m}$ encoded by $Q_{x,z}$.

Now, suppose that Alice and Bob start with a state close to
$(\Phi^+)^{\otimes n}$. To be specific, suppose that all their EPR pairs
are in the Bell basis, with $t$ or fewer bit flips ($\Psi^+$ or $\Psi^-$
pairs) and $t$ or fewer phase flips ($\Phi^-$ or $\Psi^-$ pairs). If Alice
and Bob compare their measurements of $\sigma_z^{[r]}$ ($\sigma_x^{[r]}$),
the rows $r$ for which these measurements disagree give the bits which are
1 in the bit (phase) syndromes. From these syndromes, Alice and Bob can
compute the locations of the bit and the phase flips, can correct these
errors, and can then decode $Q_{x,z}$ to obtain $m$ perfect EPR pairs.

We will show that the following is a secure quantum 
key distribution protocol. 

Protocol 1: Modified Lo-Chau 

1: Alice creates $2n$ EPR pairs in the state $(\Phi^+)^{\otimes 2n}$.
2: Alice selects a random $2n$-bit string $b$, and performs a Hadamard
   transform on the second half of each EPR pair for which $b$ is 1.
3: Alice sends the second half of each EPR pair to Bob.
4: Bob receives the qubits and publicly announces this fact.
5: Alice selects $n$ of the $2n$ encoded EPR pairs to serve as check bits
   to test for Eve's interference.
6: Alice announces the bit string $b$, and which $n$ EPR pairs are to be
   check bits.
7: Bob performs Hadamards on the qubits where $b$ is 1.
8: Alice and Bob each measure their halves of the $n$ check EPR pairs in
   the $|0\rangle$, $|1\rangle$ basis and share the results. If too many of
   these measurements disagree, they abort the protocol.
9: Alice and Bob make the measurements on their code qubits of
   $\sigma_z^{[r]}$ for each row $r \in H_1$ and $\sigma_x^{[r]}$ for each
   row $r \in H_2$. Alice and Bob share the results, compute the syndromes
   for bit and phase flips, and then transform their state so as to obtain
   $m$ nearly perfect EPR pairs.
10: Alice and Bob measure the EPR pairs in the $|0\rangle$, $|1\rangle$
   basis to obtain a shared secret key.

We now show that this protocol works. Namely, we show that the probability
is exponentially small that Alice and Bob agree on a key about which Eve
can obtain more than an exponentially small amount of information. We need
a result of Lo and Chau [?] that if Alice and Bob share a state having
fidelity $1 - 2^{-s}$ with $(\Phi^+)^{\otimes m}$, then Eve's mutual
information with the key is at most $2^{-c} + 2^{O(-2s)}$ where
$c = s - \log_2(2m + s + 1/\log_e 2)$.

For the proof, we use an argument based on one from Lo and Chau [?]. Let us
calculate the probability that the test on the check bits succeeds while
the entanglement purification on the code bits fails. We do this by
considering the measurement that projects each of the EPR pairs onto the
Bell basis.

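We first consider the check bits. Note that for the EPR pairs where
$b = 1$, Alice and Bob are effectively measuring them in the $|+\rangle$,
$|-\rangle$ basis rather than the $|0\rangle$, $|1\rangle$ basis. Now,
observe that

$$|\Psi^+\rangle\langle\Psi^+| + |\Psi^-\rangle\langle\Psi^-| = |01\rangle\langle 01| + |10\rangle\langle 10|,$$

$$|\Phi^-\rangle\langle\Phi^-| + |\Psi^-\rangle\langle\Psi^-| = |{+}{-}\rangle\langle{+}{-}| + |{-}{+}\rangle\langle{-}{+}|.$$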

These relations show that the rates of bit flip errors and 
of phase flip errors that Alice and Bob estimate from 
their measurements on check bits are the same as they 
would have estimated using the Bell basis measurement. 

We next consider the measurements on the code bits. We want to show that
the purification protocol applied to $n$ pairs produces a state that is
close to the encoded $(\Phi^+)^{\otimes m}$. The purification protocol
succeeds perfectly acting on the space spanned by Bell pairs that differ
from $(\Phi^+)^{\otimes n}$ by $t$ or fewer bit flip errors and by $t$ or
fewer phase flip errors. Let $\Pi$ denote the projection onto this space.
Then if the protocol is applied to an initial density operator $\rho$ of
the $n$ pairs, it can be shown that the final density operator $\rho'$
approximates $(\Phi^+)^{\otimes m}$ with fidelity

$$F = \langle (\Phi^+)^{\otimes m} | \rho' | (\Phi^+)^{\otimes m} \rangle \geq \mathrm{tr}(\Pi \rho). \qquad (3)$$

Hence the fidelity is at least as large as the probability that $t$ or
fewer bit flip errors and $t$ or fewer phase flip errors would have been
found, if the Bell measurement had been performed on all $n$ pairs.

Now, when Eve has access to the qubits, she does not yet know which qubits
are check qubits and which are code qubits, so she cannot treat them
differently. The check qubits that Alice and Bob measure thus behave like a
classical random sample of the qubits. We are then able to use the measured
error rates in a classical probability estimate; we find that the
probability of obtaining more than $\delta n$ bit (phase) errors on the
code bits and fewer than $(\delta - \epsilon)n$ errors on the check bits is
asymptotically less than
$\exp[-\frac{1}{4}\epsilon^2 n/(\delta - \delta^2)]$. We conclude that if
Alice and Bob have greater than an exponentially small probability of
passing the test, then the fidelity of Alice and Bob's state with
$(\Phi^+)^{\otimes m}$ is exponentially close to 1.

We now show how to turn this Lo-Chau type protocol into a quantum
error-correcting code protocol. Observe first that it does not matter
whether Alice measures her check bits before or after she transmits half of
each EPR pair to Bob, and similarly that it does not matter whether she
measures the syndrome before or after this transmission. If she measures
the check bits first, this is the same as choosing a random one of
$|0\rangle$, $|1\rangle$. If she also measures the syndrome first, this is
equivalent to transmitting $m$ halves of EPR pairs encoded by the CSS code
$Q_{x,z}$ for two random vectors $x, z \in \mathbf{F}_2^n$. The vector $x$
is determined by the syndrome measurements $\sigma_z^{[r]}$ for rows
$r \in H_1$, and similarly for $z$. Alice can also measure her half of the
encoded EPR pairs before or after transmission. If she measures them first,
this is the same as choosing a random key $k$ and encoding $k$ using
$Q_{x,z}$. We thus obtain the following equivalent protocol.

Protocol 2: CSS Codes 

1: Alice creates $n$ random check bits, a random $m$-bit key $k$, and a
   random $2n$-bit string $b$.
2: Alice chooses $n$-bit strings $x$ and $z$ at random.
3: Alice encodes her key $|k\rangle$ using the CSS code $Q_{x,z}$.
4: Alice chooses $n$ positions (out of $2n$) and puts the check bits in
   these positions and the code bits in the remaining positions.
5: Alice applies a Hadamard transform to those qubits in the positions
   having 1 in $b$.
6: Alice sends the resulting state to Bob. Bob acknowledges receipt of the
   qubits.
7: Alice announces $b$, the positions of the check bits, the values of the
   check bits, and the $x$ and $z$ determining the code $Q_{x,z}$.
8: Bob performs Hadamards on the qubits where $b$ is 1.
9: Bob checks whether too many of the check bits have been corrupted, and
   aborts the protocol if so.
10: Bob decodes the key bits and uses them for the key.

Intuitively, the security of the protocol depends on the fact that for a
sufficiently low error rate, a CSS code transmits the information encoded
by it with very high fidelity, so that by the no-cloning principle very
little information can leak to Eve.

We now give the final argument that turns the above protocol into BB84.
First note that, since all Bob cares about are the bit values of the
encoded key, and the string $z$ is only used to correct the phase of the
encoded qubits, Bob does not need $z$. This is why we use CSS codes: they
decouple the phase correction from the bit correction. Let $k' \in C_1$ be
a binary vector that is mapped by Eq. (2) to the encoded key. Since Bob
never uses $z$, we can assume that Alice does not send it. Averaging over
$z$, we see that Alice effectively sends the mixed state

$$\frac{1}{2^n |C_2|} \sum_z \left[ \sum_{w_1, w_2 \in C_2} (-1)^{(w_1 + w_2) \cdot z} \, |k' + w_1 + x\rangle \langle k' + w_2 + x| \right] = \frac{1}{|C_2|} \sum_{w \in C_2} |k' + w + x\rangle \langle k' + w + x|, \qquad (4)$$

which is equivalently the mixture of states $|k' + x + w\rangle$ with $w$
chosen randomly in $C_2$. Let us now look at the protocol as a whole. The
error correction information Alice gives Bob is $x$, and Alice sends
$|k' + x + w\rangle$ over the quantum channel. Over many iterations of the
algorithm, these are random variables chosen uniformly in
$\mathbf{F}_2^n$ with the constraint that their difference $k' + w$ is in
$C_1$. After Bob receives $k' + w + x + e$, he subtracts $x$, and corrects
the result to a codeword in $C_1$, which is almost certain to be $k' + w$.
The key is the coset of $k' + w$ over $C_2$.



In the BB84 protocol given below, Alice sends $|v\rangle$ to Bob, with
error correction information $u + v$. These are again two random variables
uniform in $\mathbf{F}_2^n$, with the constraint that $u \in C_1$. Bob
obtains $v + e$, subtracts $u + v$, and corrects the result to a codeword
in $C_1$, which with high probability is $u$. The key is then the coset
$u + C_2$. Thus, the two protocols are completely equivalent.

Protocol 3: BB84 

1: Alice creates $(4 + \delta)n$ random bits.
2: Alice chooses a random $(4 + \delta)n$-bit string $b$. For each bit, she
   creates a state in the $|0\rangle$, $|1\rangle$ basis (if the
   corresponding bit of $b$ is 0) or the $|+\rangle$, $|-\rangle$ basis (if
   the bit of $b$ is 1).
3: Alice sends the resulting qubits to Bob.
4: Bob receives the $(4 + \delta)n$ qubits, measuring each in the
   $|0\rangle$, $|1\rangle$ or the $|+\rangle$, $|-\rangle$ basis at random.
5: Alice announces $b$.
6: Bob discards any results where he measured a different basis than Alice
   prepared. With high probability, there are at least $2n$ bits left (if
   not, abort the protocol). Alice decides randomly on a set of $2n$ bits
   to use for the protocol, and chooses at random $n$ of these to be check
   bits.
7: Alice and Bob announce the values of their check bits. If too few of
   these values agree, they abort the protocol.
8: Alice announces $u + v$, where $v$ is the string consisting of the
   remaining non-check bits, and $u$ is a random codeword in $C_1$.
9: Bob subtracts $u + v$ from his code qubits, $v + e$, and corrects the
   result, $u + e$, to a codeword in $C_1$.
10: Alice and Bob use the coset of $u + C_2$ as the key.
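
As an added illustration (not part of the original paper), the following
Python code runs steps 8-10 of Protocol 3 classically on one block, using
the syndrome rule $r_k \cdot w \pmod 2$ from the earlier discussion of
classical error correction. The choice of the Hamming [7,4] code for $C_1$
with its dual as $C_2$, and all function names, are assumptions made for
the example.

```python
import secrets

# Assumed toy codes (not from the paper): C1 = Hamming [7,4]; C2 = its dual,
# which is the even-weight [7,3] subcode of C1. The key is 4 - 3 = 1 bit.
N = 7
H1 = [[(j >> i) & 1 for j in range(1, N + 1)] for i in range(3)]  # checks of C1

def xor(a, b):
    return [p ^ q for p, q in zip(a, b)]

def syndrome(H, w):
    """Bit k of the syndrome is r_k . w (mod 2) for row r_k of H."""
    return [sum(r * x for r, x in zip(row, w)) % 2 for row in H]

def correct_to_c1(w):
    """Nearest-codeword decoding for t = 1: the syndrome read as a binary
    number is the 1-based position of the flipped bit (0 = already in C1)."""
    s = syndrome(H1, w)
    pos = s[0] + 2 * s[1] + 4 * s[2]
    out = list(w)
    if pos:
        out[pos - 1] ^= 1
    return out

def random_c1_codeword():
    """Choose the 4 free bits, then set positions 1, 2, 4 to zero the syndrome."""
    w = [0] * N
    for p in (3, 5, 6, 7):
        w[p - 1] = secrets.randbelow(2)
    for i, bit in enumerate(syndrome(H1, w)):
        w[(1 << i) - 1] = bit
    return w

def coset_label(u):
    """Name of the coset u + C2: overall parity, because C2 is exactly the
    even-weight half of this particular C1."""
    return sum(u) % 2

def run_block(v, e):
    """Steps 8-10 of Protocol 3 for one 7-bit block of non-check bits v,
    with channel error pattern e. Returns (Alice's key bit, Bob's key bit)."""
    u = random_c1_codeword()
    announced = xor(u, v)                    # step 8: Alice publishes u + v
    received = xor(v, e)                     # Bob measured v + e
    u_bob = correct_to_c1(xor(received, announced))  # step 9: u + e -> C1
    return coset_label(u), coset_label(u_bob)        # step 10

if __name__ == "__main__":
    v = [secrets.randbelow(2) for _ in range(N)]     # constructed sample input
    cases = {"one flip": [0, 0, 0, 0, 1, 0, 0],
             "error in C2": H1[0],
             "two flips": [1, 1, 0, 0, 0, 0, 0]}
    for name, e in cases.items():
        print(name, run_block(v, e))
```

An error pattern lying in $C_2$ moves Bob to a different codeword but
leaves the coset, and hence the key bit, unchanged. Two flips exceed
$t = 1$ for this code and give a mismatched key bit, the situation the
check-bit test in step 7 is there to make improbable.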



There are a few loose ends that need to be tied up. The protocol given
above uses binary codes $C_1$ and $C_2$ with large minimum distance, and
thus can obtain rates given by the quantum Gilbert-Varshamov bound for CSS
codes [?]. To reach the better Shannon bound for CSS codes, we need to use
codes for which a random small set of phase errors and bit errors can
almost always be corrected. To prove that the protocol works in this case,
we need to ensure that the errors are indeed random. We do this by adding a
step where Alice scrambles the qubits using a random permutation $\pi$
before sending them to Bob, and a step after Bob acknowledges receiving the
qubits where Alice sends $\pi$ to Bob and he unscrambles the qubits. This
can work as long as the measured bit and phase error rates are less than
11%, the point at which the Shannon rate $1 - 2H(\delta)$ hits 0.

For a practical key distribution protocol we need the classical code $C_1$
to be efficiently decodeable. As is shown in [?], we can let $C_2$ be a
random subcode of an efficiently decodeable code $C_1$, and with high
probability obtain a good code $C_2$. While known efficiently decodeable
codes do not meet the Shannon bound, they come fairly close.

A weakness in both the proof given in this paper and the proofs in [?] is
that they do not apply to imperfect sources; the sources must be perfect
single-photon sources. A proof avoiding this difficulty was recently
discovered by Michael Ben-Or; it shows that any source sufficiently close
to a single-photon source is still secure. However, most experimental
quantum key distribution systems use weak coherent sources, and no
currently known proof covers this case.